Email IDs Alerts

Hi,
How can we configure Rapid7 to ensure that all alerts related to specific critical users are assigned ‘Critical’ severity, prioritized, and trigger email notifications?

InsightConnect in this case.

Create a webhook that is being triggered on all incoming alerts.
Create a global artifact.
If match, increase criticality of event.


I second @sgroeneveld's approach.

If you already have workflows running automatically for your alerts, you can also just build an ICON workflow that will check all the investigations opened, use the same global artifact, and update the criticality of the investigation if you have a match on the actor/user.

Also have a look into the possibility of triggering workflows from 1 workflow.

We use a Python script (simple: IF alert = A trigger workflow A).
Otherwise it might get crowded in the workflow itself.

@sgroeneveld any option via InsightIDR itself?

Not that I am aware of. In any case I would add the user to the watchlist.

You can also create a bunch / copy rules and only make them work for a selected group of users. These will be hardcoded which might be a problem.

ICON isn’t that hard to learn and we use it a lot for administrative data loads etc. Worth looking into.

Thinking about it, what you can do perhaps is create a specific IDR user that receives email per alert (like a normal user with the lowest privileges). Monitor the inbox with whatever tool you have (like Google Mail); forward to a special Slack / Teams channel IF name === xxx

Not bulletproof I think, but maybe it helps you on the right path.

I have created a user watchlist for specific users who are integrated via AD, but adding users to the watchlist only results in ingress/authentication alerts being reflected, not others.

@david_smith @Eric-Wilson @Darrick_Hall @landon_dalke1 @antmar904 @tyler_terenzoni any suggestions?

I am not aware of any capability within IDR to do this. You have to step outside of the IDR platform itself.

You have a few options.

You could poll the alerts/investigations API using a script. Set it to run as a scheduled task. You will need to build in deduplication and logic to ensure it is only happening for new investigations/alerts. Your script can have the lookup list built into it, so that it is checking.

You can use ICON instead. We have an Investigation Created Trigger, an Alert Created Trigger, and the Universal Data Exporter as triggering options. When a new event happens it will need to reference a list somewhere. The easiest method is a Global Artifact. Check the list, do they exist, if yes, then do the thing.
If you don’t like global artifacts you could leverage JQ with a hard-coded list, or Python as well.

I don’t really see a reason that you would tackle this anywhere except ICON, unless you don’t actually own an InsightConnect license.
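The polling approach in the answer above (and the webhook / global-artifact / "if match, raise criticality" flow from the first reply) needs two pieces of logic regardless of where it runs: deduplication of investigations already handled, and a lookup of the investigation's actors against a critical-user list. The following is an added example written for this thread, not code from the discussion or from Rapid7. It runs over a constructed sample of investigations; the record layout (`id`, `title`, `priority`, `actors`), the state-file name and the `CRITICAL_USERS` watchlist are all assumptions, not the InsightIDR API schema, and fetching from the API and actually sending mail are left to whatever client and mailer you already use.

```python
"""Added example (not from the thread or Rapid7): deduplication plus
watchlist lookup for a scheduled poll of investigations, over constructed
sample data. Field names are assumptions, not the InsightIDR API schema."""
import json
from pathlib import Path

# Constructed watchlist of critical users (stand-in for a global artifact
# or a hard-coded list). Compared case-insensitively below.
CRITICAL_USERS = {"ceo@example.com", "svc-backup@example.com"}

# Constructed sample of what one poll might return; assumed field names.
SAMPLE_INVESTIGATIONS = [
    {"id": "inv-001", "title": "Brute force attempt", "priority": "MEDIUM",
     "actors": ["jdoe@example.com"]},
    {"id": "inv-002", "title": "Unusual authentication", "priority": "LOW",
     "actors": ["CEO@example.com"]},
    {"id": "inv-003", "title": "Suspicious process", "priority": "HIGH",
     "actors": ["svc-backup@example.com", "bob@example.com"]},
]


def load_seen(state_path):
    """Read the set of investigation ids already processed (empty on first run)."""
    path = Path(state_path)
    if not path.exists():
        return set()
    return set(json.loads(path.read_text()))


def save_seen(state_path, seen):
    """Persist processed ids so the next scheduled run skips them."""
    Path(state_path).write_text(json.dumps(sorted(seen)))


def find_escalations(investigations, seen, watchlist):
    """Return (escalations, updated_seen).

    Only investigations not yet in `seen` whose actors include a watchlisted
    user produce an escalation record. Every new investigation is added to
    `seen`, matched or not, so non-matching ones are not re-examined each poll.
    """
    watch = {u.lower() for u in watchlist}
    seen = set(seen)
    escalations = []
    for inv in investigations:
        if inv["id"] in seen:
            continue  # handled by an earlier run: deduplicate
        seen.add(inv["id"])
        matched = sorted(a for a in inv.get("actors", []) if a.lower() in watch)
        if matched:
            escalations.append({
                "id": inv["id"],
                "title": inv["title"],
                "old_priority": inv["priority"],
                "new_priority": "CRITICAL",
                "matched_users": matched,
            })
    return escalations, seen


def build_notification(escalation):
    """Render the email subject and body for one escalation; sending it is
    left to the mailer available in your environment."""
    subject = f"[CRITICAL] {escalation['title']} ({escalation['id']})"
    body = (
        f"Investigation {escalation['id']} involves watchlisted user(s): "
        f"{', '.join(escalation['matched_users'])}.\n"
        f"Priority raised from {escalation['old_priority']} to "
        f"{escalation['new_priority']}."
    )
    return subject, body


def run_poll(investigations, state_path, watchlist=CRITICAL_USERS):
    """One scheduled run: load state, dedupe and match, persist state."""
    seen = load_seen(state_path)
    escalations, seen = find_escalations(investigations, seen, watchlist)
    save_seen(state_path, seen)
    return escalations


if __name__ == "__main__":
    # Assumed state-file name; a second run against the same sample returns nothing.
    for esc in run_poll(SAMPLE_INVESTIGATIONS, "seen_investigations.json"):
        subject, body = build_notification(esc)
        print(subject)
        print(body)
```

The state file is what makes the scheduled-task version safe to re-run: without it every poll would raise priority and send mail for the same investigations again. In an ICON workflow the same `find_escalations` logic maps onto the trigger plus a global-artifact lookup, with the trigger itself providing the deduplication.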